Comments on: howto://use TMG 2010 as the Exchange edge transport server

By: JRV

JRV — Thu, 02 Feb 2012 18:06:32 +0000

Adding to Ed’s comment, MS has done a good job of integrating EX Edge, TMG & FPE, making it about as painless a mail hygiene solution as you could hope for. And it’s the only anti-spam I’m aware of that’s integrated with Outlook’s Safe Senders List, making it easy for users to manage their own whitelists. Unless you’re already invested in another mail hygiene product and can’t or don’t want to change, definitely use Edge + TMG + FPE.

By: Ed Fisher

Ed Fisher — Thu, 02 Feb 2012 17:56:35 +0000

TMG email protection works fine by itself, but it does not have all the functionality of Forefront Protection for Exchange (FPE.) If you want the full anti-X capabilities, you will want to install FPE. For example, TMG will protect your email servers from attacks against email services, but does not protect your users from malware within an email. See this and this for details. If you only want to protect your servers, TMG is enough. If you want to protect your users, you want FPE or other third party anti-x solution. Ed

By: Ed Fisher

Ed Fisher — Thu, 02 Feb 2012 17:50:48 +0000

Merz,
It is ok to have single TMG installation with EDGE on top of it, and to install EDGE after TMG is installed. That is fine and is what I did.
Ed

By: Merz

Merz — Thu, 02 Feb 2012 11:16:46 +0000

Hey Ed,

thank you for your reply

i don’t want to deal with two (FE and BE) TMG servers, i have started this way but then i decided to go with one instance of TMG

my another concern is that is it ok to have single TMG installation with EDGE on top of it and to install EDGE after TMG is installed, or should start my installation from beginning and install EDGE and then TMG

P.S. once again. i cannot get the same functional if edge installed in another box?

i have another questions to you i will back to them later

By: jerome

jerome — Thu, 02 Feb 2012 08:42:49 +0000

Hi there,

we need to install Exchange Edge Transport and Forefront Protection 2010 for Exchange Server in order to have it function successfully as a SMTP gateway with full Email AV, Antispam and Malware protection? How about if we only implement TMG eMail policy does it work itself?

thank you.

By: Ed Fisher

Ed Fisher — Wed, 01 Feb 2012 15:05:37 +0000

Merz,
In your situation I would do exactly what I did in this post. I had my TMG up and running and just added Exchange Edge Transport on top of it, and it worked fine. If you don’t want to do that, then
Internet->TMG external->TMG DMZ->Edge Transport
and publish the mail server role on the Edge Transport using the TMG publishing wizard.
Either way will work fine, and with FPE installed on your Edge, you will get all the protection it offers.
HTH
Ed

By: Merz

Merz — Tue, 31 Jan 2012 15:36:12 +0000

Thank you for your effort creating this blog posts.

this blog post stuck me in front of endless! -)

i will copy my text from some forum. i hope i will get right answer here

I’m setting up new company infrastructure and I need your expert support to clarify few things!

What I had installed so far, Domain Infrastructure domain.root, Exchange 2010 with all roles on single box, TMG with 3 network cards (Internal, DMZ, External)

I’m stuck on my way of installing Exchange 2010 EDGE Server. I have planned to install EDGE server in DMZ as standalone machine and publish SMTP via TMG to Internet and setup EdgeSync to HUB in Internal network.

After I have installed EDGE server on standalone machine in DMZ and I have run Microsoft Forefront Protection for Exchange setup. At this point I have found blog post where it’s recommended to install EDGE server along with TMG on the single box to have ability to use all features of TMG email scanning. All other blogs discussing the same installation type and i even found instruction on MS site regarding this setup

This is really confused me.

My first main questions is: Is it really necessary to install Exchange EDGE role on the same box where TMG installed to have ability use all functionality of email scanning?

Another question is: What I will lose if I would install EDGE on separate box in DMZ behind protected by TMG?

In addition: It’s highly recommended to install EDGE server first and then TMG. But my TMG box is ready and don’t want to do configurations steps again
——————————————————————————-

can i achieve all tmg email scanning featutures without installing EDGE role on TMG itself. i don’t want to loadmy firewall and proxy for users with Exchange EDGE installation

thank you

By: Ed Fisher

Ed Fisher — Thu, 24 Nov 2011 11:36:16 +0000

Hi Harshal
Jeff must either stay up later, or get up earlier, because he beat me to it. He’s quite correct.
Server and all SPs and patches
Then TMG
Then Exchange Edge Transport role
Then FPE
Ed

By: Jeff Vandervoort

Jeff Vandervoort — Thu, 24 Nov 2011 06:08:15 +0000

Harshal, hate to tell you this, but TMG has to go on the machine before Exchange Edge. Follow the steps in the sequence in the article and you should be in good shape.

By: Harshal

Harshal — Thu, 24 Nov 2011 05:51:58 +0000

Dear Ed,
First of all, I would like to thank you for this article. It helped me a lot.

I have installed TMG 2010 on Edge transport in a workgroup environment (not a domain member). First I installed Edge & check my inbound & outbound mail flow. It worked perfectly fine. Then I installed TMG on it & configured Email policy. But then in TMg console under monitoring section, it says either Email configuration policy could not be applied as either Edge Transport or Forefront Protection for Exchange is not installed. So my question is, how did you get TMG & its features for Email content filter work without FPE?

Just FYI, I also installed FPE then but then TMG managed control serivce crashed & cannot start. So next question is what is the correct order for all the three products towork properly? please correct me if I am wrong & my approach is
1. Windows 2008 R2 Ent x64
2. AD LDS
3. Edge Transport Role
4. FPE
5. TMG 2010

I did install as per the above order but still Email Policy cannot be applied but I can send & receive emails without any issues.

I would really appreciate your answers
Regards,

Harshal

By: Ed Fisher

Ed Fisher — Wed, 23 Nov 2011 19:05:14 +0000

Rock on! Thanks for letting us know.

By: Aaron

Aaron — Wed, 23 Nov 2011 18:26:22 +0000

Thanks, it was indeed my network configuration, fixed that and also deleted an old entry in a hosts file on the mail server and i’m good to go. Thanks a lot guys.

By: JRV

JRV — Mon, 21 Nov 2011 21:54:27 +0000

Spoofing errors occur when a packet arrives at an interface sent from an IP address OTHER THAN what TMG is expecting it on. Is the 5.x.x.x subnet in the definition for the Network?

By: Ed Fisher

Ed Fisher — Mon, 21 Nov 2011 21:53:53 +0000

I believe the most important clue is this one

The error I get keeps telling me that the source IP address is spoofed. The source IP is the same each time I see the error, but the source port seems to be different every time.

Check your network definitions on the TMG to make sure what is EXTERNAL is properly defined. With a two-NIC setup, your internal address space should be internal, and that should NOT include your DMZ addresses. The error message comes from the TMG getting traffic from a source ip.addr that is associated with a different zone. So if your DMZ subnet is included in the ranges of the INTERNAL network, and traffic from a DMZ ip.addr hits the NIC on the TMG associated with the external network, TMG flags it as spoofed. Since your source is a RIPE network, but we know it is your Edge server in your DMZ, I am pretty sure your network definitions are borked.

TMG Console
Networking
Network tab
confirm the ip.addrs in the Internal network…everything else (DMZ and Internet) is external.

Let me know if that fixes it for you.
Ed

By: Aaron

Aaron — Mon, 21 Nov 2011 21:34:38 +0000

Great articles regarding TMG and exchange, best I’ve found in my attempts to google for answers.

I’m wondering if you have any ideas that could help me out, I’m in the banging my head against the desk stage of my troubleshooting.

My setup: single mail server in LAN with CAS role, edge server in DMZ with TMG 2010 double NIC’s, domain joined on one NIC and DMZ on the other.

I’ve run through all of your TMG publishing setups and i have green boxes for all connection tests for OWA and etc. I also had a successful edgesubscription between my mail server and my mail edge server and I have been sending and receiving mail successfully for months, until I installed TMG 2010.

I made a firewall policy rule that allows “LDAPS (EdgeSync)” between my hub transport and local host like JRV mentions before trying to make a new edgesubscription. When I run the command from powershell as administrator “start-edgesubscription” from my CAS, I get the following error: “could not connect LDAP server is unavailable”. My TMG 2010 log, shows that it denied a connection from my mail server to my mailedge server for the LDAPS protocol on port 50636, even though i made a rule that allows LDAPS(EdgeSync) and LDAP between the exact IP’s that it shows it has denied. For troubleshooting purposes I have allowed LDAPS from pretty much every source I can think of, explicitly put the IP’s in the rule that the log says are the source and destination, as well as internal, external, and etc.

The error I get keeps telling me that the source IP address is spoofed. The source IP is the same each time I see the error, but the source port seems to be different every time.

Error:

Denied Connection MAILEDGE 11/21/2011 2:08:22 PM
Log type: Firewall service
Status: A packet was dropped because Forefront TMG determined that the source IP address is spoofed.
Rule: None – see Result Code
Source: Internal (5.0.0.212:14050)
Destination: Local Host (10.10.10.12:50636)
Protocol: LDAPS(EdgeSync)
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 5.0.0.212

Any ideas?